How to prevent broadcast storms on the AC


WLAN devices support traffic suppression and user isolation to prevent broadcast storms.

Traffic suppression limits the traffic rate to prevent broadcast storms caused by broadcast, multicast, or unknown unicast packets. User isolation keeps users' traffic separate at Layer 2 so that their broadcast packets are not forwarded to one another, which reduces the number of broadcast packets and the risk of broadcast storms.

Example for configuring traffic suppression
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] broadcast-suppression packets 12600 //Set the rate limit in pps for broadcast packets.
[Huawei-GigabitEthernet0/0/1] multicast-suppression packets 25200 //Set the rate limit in pps for multicast packets.
[Huawei-GigabitEthernet0/0/1] unicast-suppression packets 12600 //Set the rate limit in pps for unknown unicast packets.
[Huawei-GigabitEthernet0/0/1] quit
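The following Python model shows what the three suppression commands above do on the data plane: each frame is classified by destination MAC as broadcast, multicast (group bit set), unknown unicast (no MAC table entry) or known unicast, and each of the first three categories is capped at its configured pps value. This is an added, simplified example written for this page, not Huawei code; it assumes a per-one-second counting window (real hardware typically uses a token bucket) and uses the pps values from the example above. All frames and the MAC table are constructed.

```python
"""Added example: classify frames and apply per-category pps suppression.
Simplified model of port traffic suppression, not vendor code."""
from collections import defaultdict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Per-category pps caps, taken from the AC configuration example on this page.
SUPPRESSION_PPS = {"broadcast": 12600, "multicast": 25200, "unknown-unicast": 12600}


def classify(dst_mac, mac_table):
    """Return the suppression category of a frame, or None for known unicast.

    mac_table is the set of destination MACs the switch has learned (lowercase).
    """
    mac = dst_mac.lower()
    if mac == BROADCAST_MAC:
        return "broadcast"
    if int(mac.split(":")[0], 16) & 0x01:      # I/G bit set: group address
        return "multicast"
    if mac not in mac_table:                   # unlearned unicast is flooded
        return "unknown-unicast"
    return None


def apply_suppression(frames, mac_table, limits=SUPPRESSION_PPS):
    """frames: iterable of (timestamp_seconds, dst_mac).

    Counts frames per one-second window (assumption of this model). Once a
    category's count in a window exceeds its cap, further frames are dropped.
    Returns {category: {"forwarded": n, "dropped": n}}.
    """
    seen = defaultdict(int)                              # (window, category) -> count
    stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    for ts, dst in frames:
        cat = classify(dst, mac_table)
        if cat is None:
            continue                                     # known unicast is never suppressed
        key = (int(ts), cat)
        seen[key] += 1
        if seen[key] <= limits[cat]:
            stats[cat]["forwarded"] += 1
        else:
            stats[cat]["dropped"] += 1
    return dict(stats)


def demo():
    """Constructed traffic: a broadcast burst 400 frames over the cap, plus
    some multicast, unknown unicast and known unicast in later windows."""
    mac_table = {"00:11:22:33:44:55"}
    frames = [(i / 13000, BROADCAST_MAC) for i in range(13000)]   # window 0
    frames += [(0.5, "01:00:5e:00:00:01")] * 100                  # IPv4 all-hosts, window 0
    frames += [(1.2, "00:aa:bb:cc:dd:ee")] * 50                   # unknown unicast, window 1
    frames += [(1.3, "00:11:22:33:44:55")] * 10                   # known unicast, untouched
    return apply_suppression(frames, mac_table)


if __name__ == "__main__":
    for cat, counts in demo().items():
        print(f"{cat:16s} forwarded={counts['forwarded']:6d} dropped={counts['dropped']:6d}")
```

The point to take from the run is that suppression is per category: the 400 excess broadcast frames are dropped, while the multicast and unknown unicast traffic in the same second is untouched because each has its own cap, and known unicast never enters the counters at all.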

Example for configuring user isolation
For V200R005:
[Huawei-wlan-view] service-set name test
[Huawei-wlan-service-set-test] user-isolate //Set user isolation for service set test.
[Huawei-wlan-service-set-test] quit
[Huawei-wlan-view] quit

For V200R006:
# Configure user isolation for a traffic profile.
system-view
[Huawei] wlan
[Huawei-wlan-view] traffic-profile name p1 //Create a traffic profile.
[Huawei-wlan-traffic-prof-p1] user-isolate l2 //Configure Layer 2 user isolation.

# Configure user isolation in an AP wired port profile.
system-view
[AC6605] wlan
[AC6605-wlan-view] wired-port-profile name wired
[AC6605-wlan-wired-port-prof-wired] mode endpoint
[AC6605-wlan-wired-port-prof-wired] user-isolate l2
[AC6605-wlan-wired-port-prof-wired] quit
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] wired-port-profile wired gigabitethernet 0

Other related questions:
Configuring traffic suppression and storm control on S series switches
For S series switches (except S1700 switches): Traffic suppression and storm control are two security technologies used to limit the rates of broadcast, unknown multicast, and unknown unicast packets to prevent storms caused by these packets. Traffic suppression limits traffic rates using traffic rate thresholds, while storm control prevents traffic storms by shutting down interfaces.
You can run the following commands to configure traffic suppression:
[HUAWEI] interface gigabitethernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0] broadcast-suppression cir 100 //Configure broadcast traffic suppression and set the CIR, that is, the allowed rate at which broadcast traffic can pass through, to 100 kbit/s.
[HUAWEI-GigabitEthernet1/0/0] multicast-suppression 80 //Configure unknown multicast traffic suppression and limit the rate of unknown multicast packets to 80%.
[HUAWEI-GigabitEthernet1/0/0] unicast-suppression cir 100 //Configure unknown unicast traffic suppression and set the CIR, that is, the allowed rate at which unknown unicast traffic can pass through, to 100 kbit/s.
[HUAWEI-GigabitEthernet1/0/0] quit
To block outgoing packets on an interface, run the following commands:
[HUAWEI] interface gigabitethernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0] broadcast-suppression block outbound //Block outgoing broadcast packets on the interface.
[HUAWEI-GigabitEthernet1/0/0] multicast-suppression block outbound //Block outgoing unknown multicast packets on the interface.
[HUAWEI-GigabitEthernet1/0/0] unicast-suppression block outbound //Block outgoing unknown unicast packets on the interface.
[HUAWEI-GigabitEthernet1/0/0] quit
You can run the following commands to configure storm control:
[HUAWEI] interface gigabitethernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0] storm-control broadcast min-rate 1000 max-rate 2000 //Configure storm control on broadcast packets.
[HUAWEI-GigabitEthernet1/0/0] storm-control multicast min-rate 1000 max-rate 2000 //Configure storm control on unknown multicast packets.
[HUAWEI-GigabitEthernet1/0/0] storm-control unicast min-rate 1000 max-rate 2000 //Configure storm control on unknown unicast packets.
[HUAWEI-GigabitEthernet1/0/0] storm-control action block //Set the storm control action to block.
[HUAWEI-GigabitEthernet1/0/0] storm-control enable log //Configure the device to record a log when detecting a storm.
[HUAWEI-GigabitEthernet1/0/0] storm-control interval 90 //Set the interval for detecting storms.
[HUAWEI-GigabitEthernet1/0/0] quit
Note: If the storm control action on an interface is block, the interface restores the normal forwarding state when the traffic falls below the lower threshold. If the storm control action is shutdown, the interface cannot restore automatically and you need to run the undo shutdown command to restore it manually.

Prohibit DHCP broadcast packets on S series switch
ACL rules can be configured on S series switches (except S1700 switches) to deny DHCP broadcast packets on specified interfaces. For example, you can deny DHCP broadcast packets on GE0/0/1 as follows:
1. Create advanced ACL 3001 and configure a rule to deny DHCP broadcast packets.
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule deny udp destination-port eq 67 source-port eq 68 //Configure an ACL rule to deny DHCP broadcast packets.
[Huawei-acl-adv-3001] quit
2. Configure the traffic classifier tc1 to classify packets that match ACL 3001.
[Huawei] traffic classifier tc1
[Huawei-classifier-tc1] if-match acl 3001
[Huawei-classifier-tc1] quit
3. Configure the traffic behavior tb1 to deny packets.
[Huawei] traffic behavior tb1
[Huawei-behavior-tb1] deny
[Huawei-behavior-tb1] quit
4. Define a traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[Huawei] traffic policy tp1
[Huawei-trafficpolicy-tp1] classifier tc1 behavior tb1
[Huawei-trafficpolicy-tp1] quit
5. Apply the traffic policy to GE0/0/1.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Huawei-GigabitEthernet0/0/1] quit
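Before applying a deny rule like the one above, it is worth checking exactly which packets it classifies. The Python below is an added example for this page, not Huawei code: it parses the rule text from step 1 (only the `rule [id] permit|deny <proto> [source-port eq N] [destination-port eq N]` subset of the ACL syntax is handled, an assumption of this example) and evaluates constructed sample packets against it. The sample packets, the `Packet` and `Rule` types and the `evaluate` helper are all constructed here.

```python
"""Added example: parse an advanced ACL rule and evaluate packets against it.
Handles only the rule syntax used on this page; not vendor code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "tcp", ...
    src_port: Optional[int]
    dst_port: Optional[int]
    dst_ip: str                 # kept for the reader; the rule does not look at it


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "udp", "tcp", or "ip" (ip matches any protocol)
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt):
        if self.proto != "ip" and pkt.proto != self.proto:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def parse_rule(text):
    """Parse 'rule [id] permit|deny <proto> [source-port eq N] [destination-port eq N]'.

    Only the 'eq' port operator is supported (assumption of this example).
    """
    tokens = text.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError(f"not an ACL rule: {text!r}")
    tokens = tokens[1:]
    if tokens and tokens[0].isdigit():          # optional rule ID
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"malformed rule: {text!r}")
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    ports = {}
    i = 0
    while i < len(rest):
        key = rest[i]
        if key in ("source-port", "destination-port") and i + 2 < len(rest) and rest[i + 1] == "eq":
            ports[key] = int(rest[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported clause at {key!r} in {text!r}")
    return Rule(action, proto, ports.get("source-port"), ports.get("destination-port"))


def evaluate(rules, pkt):
    """Action of the first matching rule, or None if no rule matches.

    A traffic policy acts only on classified packets, so None means the
    packet is forwarded normally by this policy.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


# The rule from step 1 above, parsed into ACL 3001.
ACL_3001 = [parse_rule("rule deny udp destination-port eq 67 source-port eq 68")]

# Constructed sample packets.
DHCP_DISCOVER = Packet("udp", 68, 67, "255.255.255.255")   # client -> server, broadcast
DHCP_RENEW = Packet("udp", 68, 67, "10.0.0.1")             # client -> server, unicast renewal
DHCP_OFFER = Packet("udp", 67, 68, "255.255.255.255")      # server -> client
DNS_QUERY = Packet("udp", 51000, 53, "10.0.0.53")          # unrelated UDP

if __name__ == "__main__":
    for name, pkt in [("DHCP_DISCOVER", DHCP_DISCOVER), ("DHCP_RENEW", DHCP_RENEW),
                      ("DHCP_OFFER", DHCP_OFFER), ("DNS_QUERY", DNS_QUERY)]:
        print(f"{name:14s} -> {evaluate(ACL_3001, pkt)}")
```

The evaluation makes one property of the page's rule visible: it matches on UDP ports only, so a unicast DHCP renewal from port 68 to port 67 is denied just like a broadcast DHCP Discover. If the intent is to stop only broadcast DHCP traffic on the port while leaving renewals to a known server alone, the rule would also need a destination address condition; as written it blocks all client-to-server DHCP on the interface.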

Checking the storm control configuration on an S series switch
For S series switches, you can run the display storm-control [ interface ] command in any view to check information about storm control on an interface.

How to configure broadcast storm control on an interface of a CE series switch
Excessive broadcast packets on inbound and outbound interfaces of a switch will cause broadcast storms. To limit the rate of broadcast packets on an interface, you can configure broadcast storm control on the interface.
For example, you can configure broadcast storm control on 10GE1/0/1.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] storm control broadcast min-rate 1000 max-rate 2000 //Set the lower threshold for storm control to 1000 pps and upper threshold to 2000 pps.
[*HUAWEI-10GE1/0/1] storm control action error-down //Configure the switch to shut down the interface when detecting a broadcast storm.
[*HUAWEI-10GE1/0/1] commit
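The storm control commands on the S series switch above (`min-rate 1000 max-rate 2000`, `action block`, `enable log`, `interval 90`) and the CE example just shown (`action error-down`) share one mechanism: a measured rate per detection interval, an upper threshold that triggers the action and a lower threshold that clears it. The Python state machine below is an added example for this page, not Huawei code; it models that hysteresis and the difference the note above describes between `block` (recovers automatically below min-rate) and `shutdown`/`error-down` (stays down until an operator runs `undo shutdown`). The per-interval rate samples are constructed, and the log strings are this example's own, not the device's log format.

```python
"""Added example: storm control threshold state machine (model, not vendor code).
One StormControl instance tracks one traffic type on one interface."""
from dataclasses import dataclass, field


@dataclass
class StormControl:
    min_rate: int                 # lower threshold in pps: traffic below this clears a block
    max_rate: int                 # upper threshold in pps: traffic above this is a storm
    action: str                   # "block" or "shutdown" (CE "error-down" behaves like shutdown)
    interval: int = 90            # detection interval in seconds; one observe() per interval
    state: str = "forwarding"     # "forwarding" | "blocked" | "shutdown"
    events: list = field(default_factory=list)   # records, as 'storm-control enable log' would emit

    def observe(self, pps):
        """Feed the rate measured over one detection interval; return the new state."""
        if self.state == "shutdown":
            # Nothing measured here can recover the port; only undo_shutdown() can.
            self.events.append(f"rate={pps}pps state=shutdown, waiting for manual undo shutdown")
        elif self.state == "forwarding" and pps > self.max_rate:
            self.state = "blocked" if self.action == "block" else "shutdown"
            self.events.append(
                f"storm detected: rate={pps}pps > max-rate {self.max_rate}pps, action={self.action}")
        elif self.state == "blocked" and pps < self.min_rate:
            self.state = "forwarding"
            self.events.append(
                f"storm cleared: rate={pps}pps < min-rate {self.min_rate}pps, forwarding restored")
        # Rates between min-rate and max-rate change nothing: that gap is the hysteresis
        # band that stops the port from flapping around a single threshold.
        return self.state

    def undo_shutdown(self):
        """Operator recovery, the only exit from the shutdown state."""
        if self.state == "shutdown":
            self.state = "forwarding"
            self.events.append("operator ran undo shutdown: forwarding restored")
        return self.state


def simulate(action, samples, min_rate=1000, max_rate=2000):
    """Run one StormControl over a list of per-interval pps samples.

    Returns the state after each interval and the instance (for its events).
    """
    sc = StormControl(min_rate=min_rate, max_rate=max_rate, action=action)
    return [sc.observe(pps) for pps in samples], sc


if __name__ == "__main__":
    # Constructed samples: quiet, storm, tapering but still above min-rate, quiet again.
    samples = [500, 2500, 1500, 800]
    for action in ("block", "shutdown"):
        states, sc = simulate(action, samples)
        print(f"action={action}: {list(zip(samples, states))}")
        for line in sc.events:
            print("  ", line)
```

With `action block` the third sample (1500 pps, between the thresholds) leaves the port blocked, and only the fourth (800 pps, below min-rate) restores forwarding. With `action shutdown` the same traffic pattern leaves the port down for good, which is why the page's note insists on `undo shutdown` for that case; when choosing the action, weigh the automatic recovery of `block` against the operator visit that `shutdown` or `error-down` will require.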

Methods used to prevent antivirus storms and improve antivirus efficiency
You are advised to deploy antivirus software that is optimized for virtualization platforms, such as Symantec SEP 12.1 and later.
(1) Preventing antivirus storms: A control center provides unified scheduling for antivirus tasks. Set automatic virus removal and database updates to run during low-traffic hours.
(2) Sharing scan results and improving system efficiency: The hash value in a VM's scan result file is sent to the control center, which forwards it to the other VMs. The antivirus software on those VMs stores the hash value list locally.
